How to allow protocol-41 (6in4) through the GCE firewall?

As a stop-gap until Google supports native IPv6 on Google Compute Engine, I'd like to configure a 6in4 (IP protocol 41) tunnel.

I've added a firewall rule to allow protocol 41 on the VM's network:

Name        Source tag / IP range  Allowed protocols / ports  Target tags
allow-6in4  216.66.xxx.xxx         41                         Apply to all targets

and configured the tunnel in /etc/network/interfaces:

auto 6in4
iface 6in4 inet6 v4tunnel
  address 2001:470:xxxx:xxxx::2
  netmask 64
  endpoint 216.66.xxx.xxx
  gateway 2001:470:xxxx:xxxx::1
  ttl 64
  up ip link set mtu 1280 dev $IFACE

and then ran ping6 2001:470:xxxx:xxxx::1 and verified that the 6in4 traffic is leaving the VM:

$ sudo tcpdump -pni eth0 host 216.66.xxx.xxx
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
22:52:03.732841 IP 10.240.xxx.xxx > 216.66.xxx.xxx: IP6 2001:470:xxxx:xxxx::2 > 2001:470:xxxx:xxxx::1: ICMP6, echo request, seq 1, length 64
22:52:04.740726 IP 10.240.xxx.xxx > 216.66.xxx.xxx: IP6 2001:470:xxxx:xxxx::2 > 2001:470:xxxx:xxxx::1: ICMP6, echo request, seq 2, length 64
22:52:05.748690 IP 10.240.xxx.xxx > 216.66.xxx.xxx: IP6 2001:470:xxxx:xxxx::2 > 2001:470:xxxx:xxxx::1: ICMP6, echo request, seq 3, length 64

I temporarily changed the endpoint to an address where I could run tcpdump, and confirmed that the packets never reach their destination. I even tried doing the NAT myself, in case GCE doesn't do it for 6in4 packets, but with no luck (iptables -t nat -A POSTROUTING -p ipv6 -j SNAT --to-source 130.211.xxx.xxx).

Has anyone gotten a 6in4 tunnel working on a GCE VM? Is there some magic setting I'm missing?

TL;DR: you can't.

According to Networking and Firewalls:

Traffic that uses a protocol other than TCP, UDP, and ICMP is blocked, unless explicitly allowed through Protocol Forwarding.

According to Protocol Forwarding:

Google Compute Engine supports protocol forwarding for the following protocols:

AH: Specifies the IP Authentication Header protocol.

ESP: Specifies the IP Encapsulating Security Payload protocol.

SCTP: Specifies the Stream Control Transmission Protocol.

TCP: Specifies the Transmission Control Protocol.

UDP: Specifies the User Datagram Protocol.

So a protocol forwarding rule has to be for one of the following IP protocol numbers:

  • 51 (AH)
  • 50 (ESP)
  • 132 (SCTP)
  • 6 (TCP)
  • 17 (UDP)

The Protocol Forwarding page explicitly says that other protocol numbers, such as 41 (6in4), are not supported:

Note: This is an exhaustive list of supported protocols. Only protocols that appear here are supported for protocol forwarding.
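As an added diagnostic (example code written for this page, not from the question, the answer, or any Google tooling): a small Python script that parses tcpdump -n lines of the form shown in the question, counts the 6in4 echo requests that left the VM against the replies that came back, and checks the outer protocol number against the protocol-forwarding list quoted above. The capture lines are constructed with documentation addresses, and the function names are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# IP protocol numbers that GCE protocol forwarding supports, per the
# Protocol Forwarding documentation quoted in the answer above.
GCE_FORWARDABLE: Dict[int, str] = {51: "AH", 50: "ESP", 132: "SCTP", 6: "TCP", 17: "UDP"}
PROTO_6IN4 = 41  # IPv6-in-IPv4 encapsulation, the protocol the tunnel uses

# Constructed sample capture, modelled on the tcpdump output in the question.
# Addresses are placeholders (documentation ranges), not real hosts.
SAMPLE_CAPTURE = """\
22:52:03.732841 IP 10.240.0.2 > 216.66.0.1: IP6 2001:db8:1::2 > 2001:db8:1::1: ICMP6, echo request, seq 1, length 64
22:52:04.740726 IP 10.240.0.2 > 216.66.0.1: IP6 2001:db8:1::2 > 2001:db8:1::1: ICMP6, echo request, seq 2, length 64
22:52:05.748690 IP 10.240.0.2 > 216.66.0.1: IP6 2001:db8:1::2 > 2001:db8:1::1: ICMP6, echo request, seq 3, length 64
22:52:05.900000 IP 10.240.0.2.443 > 198.51.100.7.51234: Flags [S.], seq 0, ack 1, win 65535, length 0
"""

# tcpdump -n prints a 6in4 packet as an outer "IP a > b:" header followed by
# the inner "IP6 c > d:" header. This matches the ICMPv6 echo lines only;
# anything else (the TCP line above, for instance) is ignored.
_SIXIN4_ECHO = re.compile(
    r"^(?P<ts>\S+) IP (?P<osrc>[\d.]+) > (?P<odst>[\d.]+): "
    r"IP6 (?P<isrc>[0-9a-fA-F:]+) > (?P<idst>[0-9a-fA-F:]+): "
    r"ICMP6, echo (?P<kind>request|reply), seq (?P<seq>\d+)"
)


@dataclass
class EchoPacket:
    outer_src: str
    outer_dst: str
    kind: str  # "request" or "reply"
    seq: int


def parse_6in4_echo(line: str) -> Optional[EchoPacket]:
    """Return the parsed packet, or None if the line is not a 6in4 ICMPv6 echo."""
    m = _SIXIN4_ECHO.match(line.strip())
    if not m:
        return None
    return EchoPacket(m["osrc"], m["odst"], m["kind"], int(m["seq"]))


def summarize_tunnel(capture: str, local_ip: str) -> dict:
    """Count echo requests leaving local_ip and echo replies returning to it."""
    sent: List[int] = []
    answered: List[int] = []
    for line in capture.splitlines():
        pkt = parse_6in4_echo(line)
        if pkt is None:
            continue
        if pkt.kind == "request" and pkt.outer_src == local_ip:
            sent.append(pkt.seq)
        elif pkt.kind == "reply" and pkt.outer_dst == local_ip:
            answered.append(pkt.seq)
    unanswered = [s for s in sent if s not in answered]
    return {"sent": len(sent), "answered": len(answered), "unanswered": unanswered}


def forwardable(proto: int) -> bool:
    """True if GCE protocol forwarding can deliver this IP protocol to a VM."""
    return proto in GCE_FORWARDABLE


def diagnose(capture: str, local_ip: str, proto: int = PROTO_6IN4) -> str:
    """Explain an asymmetric capture: requests go out, nothing comes back."""
    stats = summarize_tunnel(capture, local_ip)
    if stats["sent"] == 0:
        return "no 6in4 echo requests left the VM; check the tunnel interface"
    if stats["answered"] == stats["sent"]:
        return "tunnel is passing traffic in both directions"
    lost = len(stats["unanswered"])
    if not forwardable(proto):
        return (
            "%d of %d echo requests unanswered; protocol %d is not in the GCE "
            "protocol-forwarding list, so inbound packets are dropped before the VM"
            % (lost, stats["sent"], proto)
        )
    return "%d of %d echo requests unanswered; check the remote endpoint" % (lost, stats["sent"])


if __name__ == "__main__":
    print(summarize_tunnel(SAMPLE_CAPTURE, "10.240.0.2"))
    print(diagnose(SAMPLE_CAPTURE, "10.240.0.2"))
```

Feed it a real capture with `sudo tcpdump -pni eth0 -l host <endpoint> | python3 script.py` style piping, or paste the lines into SAMPLE_CAPTURE; outbound-only 6in4 echoes with protocol 41 absent from the forwarding table is exactly the pattern the answer explains.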